Install Turn server for Synapse (Matrix) on CentOS / RHEL

If you are enjoying using Synapse as your own private chat server you will probably at some point want to use it also as voip/video service. Here are the steps on how to do it. I’m using server that is not behind NAT and has public IP, so have that in mind.

My LAB config

Little guide on the IPs and names for tutorial:

I’m using only public IP (no NAT) for Turn in this tutorial and it will be –

My turn has own subdomain defined in DNS and we will call it

Matrix/Synapse server is installed on


Run following command to install Turn on your CentOS server

sudo yum install coturn

Turn Configuration

Installation is done in /etc/coturn. In that directory there is turnserver.conf file which we will need to edit

sudo vi /etc/coturn/turnserver.conf

We will go from the beginning to the end of file and enable necessary and secure things for out Turn server.

First, Turn listener port for TLS. We only want secure communication.


Listening IP. Enter IP on which port 5349 will wait for connections.


Under external-ip you will enter your public/internet facing ip.


We will also need to enable range of UDP ports.


We will also enable use-auth-secret


We will also need to create static-auth-secret. You need to change it to something more complex. Also, remember this secret, you will need to enter exact same secret to your syanpse configuration later on.


One way to generate more complex secret is by running pwgen.First we will install this util.

sudo yum install pwgen

And then run a command

pwgen -s 64 1

The result will be something like this.

Next value we need to change is realm. You need to enter domain on which your synapse/matrix installation resides.

We will also enable no udp option.


You will also need to define public and private cert locations for your tls connection to work. Change default rules below. “cert=” is for public part and “pkey=” for private part of the cert. I renamed my certs to the names written below to match names in turn config files.


I don’t need cli, so I will disable it by uncommenting no-cli option.


We will also need to open few firewall ports. Ports for 63000-64545 are optional and not needed in this scenario, but they are here for reference.

sudo firewall-cmd --permanent --add-port=5349/tcp
sudo firewall-cmd --permanent --add-port=5349/udp
sudo firewall-cmd --permanent --add-port=63000-64535/udp
sudo firewall-cmd --reload

Synapse/Matrix Configuration

We need to also edit homeserver.yaml file in Synapse configuration and enter Turn configuration so that Synapse knows it is there.

Best to add Turn configuration to end of the homeserver.yaml file.

Change to your turn domain/subdomain, and enter shared_secret you created under turn_shared_secret. Remember, it has to be the same secret you entered into turn config file.

## Turn ##

# The public URIs of the TURN server to give to clients
  - ""
  - ""

# The shared secret used to compute passwords for the TURN server
turn_shared_secret: "ThisIsYorSecretCHANGEME"

# How long generated TURN credentials last
turn_user_lifetime: "1h"

Start Turn Server

After all is done, reboot server, run first Synapse server and then start Turn server with following command

sudo turnserver -L -o -a -b turnserver.conf -f -r

You can also define ports you would like to turnserver listen to, then this command would be like

sudo turnserver -L -o -a -b turnserver.conf -f -r

Combine the start command the way you see best fit.

That is it, this is the configuration that is working for me, it is not perfect, there are errors when you start Turn config sometimes (I get ERROR set_ctx and ERROR cannot set DH), other times there are some weird glitches, like errors saying that I cannot combine auth-secret with classic login, although I only have auth-secret enabled, and few other minor details. Nothing serious that will prevent Turn from working. In practice, it is working very nice despite all the small bugs.